ansible/roles/copr/backend/tasks/main.yml

---
- name: Mount fs
  import_tasks: "mount_fs.yml"

- name: Setup networking
  import_tasks: "network.yml"
  when: datacenter != 'aws'

- name: Create obsrun group for `sign' command
  group: name=obsrun

# pre-create copr user and group with predefined uid and gid
- group: name=copr gid=986
- user: name=copr group=copr uid=989 groups=obsrun

- name: Install copr-backend and copr-selinux
  dnf:
    state: present
    name: copr-backend

- name: Add additional packages for copr-backend
  dnf:
    state: present
    name:
      - python3-boto  # for aws ansible plugin
      - python3-copr-messaging
      - python3-glanceclient
      - python3-neutronclient
      - python3-keystoneclient
      - python3-dateutil
      - php-cli
      - nfs-utils
      - nagios-plugins-http
  tags:
    - packages

# - name: Patch for prunerepo, issue 1090
#  patch: src=patches/prunerepo-dataloss.patch
#         dest=/usr/bin/prunerepo
#  tags: patches

- name: Install openstackclient for image preparation
  dnf: state=present name=python3-openstackclient
  when: devel|bool

- name: Make copr dirs
  ansible.builtin.file: state=directory path={{ item }}
  with_items:
  - /var/lib/copr/jobs
  - /var/lib/copr/public_html/results

- name: Setup dirs there
  ansible.builtin.file: state=directory path="/home/copr/{{ item }}" owner=copr group=copr mode=0700
  with_items:
  - cloud
  - .ssh

- name: Setup privkey for copr user
  ansible.builtin.copy: src="{{ private }}/files/copr/buildsys.priv" dest=/home/copr/.ssh/id_rsa owner=copr group=copr mode=600

- name: Setup copr user ssh config file
  ansible.builtin.template:
    src: "ssh_config.j2"
    dest: /home/copr/.ssh/config
    owner: copr
    group: copr
    mode: "0600"
  tags:
    - backend_to_hv_ssh_config
    - provision_config

- name: Check known_hosts file
  ansible.builtin.command: stat /home/copr/.ssh/known_hosts
  register: hostsstat
  check_mode: no
  changed_when: "1 != 1"
  ignore_errors: yes

- name: Create empty known_hosts
  ansible.builtin.file: state=touch dest=/home/copr/.ssh/known_hosts owner=copr group=copr mode=600
  when: hostsstat.rc == 1

- name: Replace bashrc for copr user
  ansible.builtin.copy: src="copr_bashrc" dest=/home/copr/.bashrc owner=copr group=copr mode=600

- name: Auth_key so we can login to localhost as the copr user from the copr user
  authorized_key: user=copr key="{{ item }}"
  no_log: true
  with_file:
  - "provision/files/buildsys.pub"

- name: Copy .boto file
  ansible.builtin.copy: src="boto" dest=/home/copr/.boto owner=copr group=copr

# setup webserver
- name: Install lighttpd.conf
  ansible.builtin.template: src="lighttpd/lighttpd.conf" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644
  notify:
  - Restart lighttpd
  tags:
  - config
  - lighttpd_config

- name: Create a txt file with Pulp redirects
  file: state=touch dest=/var/lib/copr/pulp-redirect.txt owner=copr group=copr mode=644

- name: Add custom lighttpd lua scripts
  ansible.builtin.template: src="lighttpd/{{ item }}.j2" dest="/etc/lighttpd/{{ item }}" owner=root group=root mode=644
  with_items:
    - content-encoding-gzip-if-exists.lua
    - pulp-redirect.lua
  notify:
  - Restart lighttpd
  tags:
  - config

- name: Letsencrypt cert
  include_role: name=copr/certbot
  tags:
  - config
  - certbot

- name: Allow lighttpd set fds limit
  seboolean: name=httpd_setrlimit state=yes persistent=yes

- name: Create directory for compress module of lighttpd
  ansible.builtin.file: path=/var/cache/lighttpd/compress owner=lighttpd group=lighttpd mode=0644 state=directory

# mime default to text/plain and enable dirlisting for indexes
- name: Update lighttpd configs
  ansible.builtin.copy: src="lighttpd/{{ item }}" dest="/etc/lighttpd/conf.d/{{ item }}" owner=root group=root mode=0644
  with_items:
  - dirlisting.conf
  - mime.conf
  notify:
  - Restart lighttpd
  tags:
  - config

- name: Install custom lighttpd template for directory listings
  ansible.builtin.template: src="lighttpd/dir-generator.php.j2" dest="/var/lib/copr/public_html/dir-generator.php" owner=copr group=copr mode=0755

- name: Install resalloc CGI script
  ansible.builtin.copy:
    src: cgi-resalloc
    dest: /var/www/
    setype: httpd_sys_script_exec_t
    mode: "0755"

- name: Install the helper scripts for lighttpd log rotation
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /usr/local/bin/{{ item }}
    mode: "0755"
    owner: root
    group: root
  with_items:
    - copr-lighty-logger
    - copr-lighty-reopen-logs
  register: logrotate_scripts
  tags: logrotate

- name: Fix selinux context on helper scripts
  ansible.builtin.command: restorecon -irv /usr/local/bin/copr-lighty*
  when: logrotate_scripts.changed
  tags: logrotate

- name: Install custom logrotate config for lighttpd
  ansible.builtin.template: src="logrotate/lighttpd.j2" dest=/etc/logrotate.d/lighttpd owner=root group=root mode=644
  tags: logrotate

- name: Start webserver
  service: state=started enabled=yes name=lighttpd

# setup dirs for the ansible execution off of provisioning
# - name: Dirs from provision
#  ansible.builtin.file: state=directory path="/home/copr/provision/{{ item }}" owner=copr group=copr
#  with_items:
#  - action_plugins
#  - library
#  tags:
#  - provision_config
#
- name: Calculate the maximum resalloc workers per architecture
  set_fact: "max_{{ item }}_workers={{ builders | community.general.json_query('*.'+item+'[0]') | sum() }}"
  with_items:
    - aarch64
    - ppc64le
    - x86_64
    - s390x
  tags:
  - provision_config

- name: Calculate max number of workers
  set_fact: "max_workers={{ max_x86_64_workers|int + max_aarch64_workers|int + max_ppc64le_workers|int + max_s390x_workers|int }}"
  tags:
  - provision_config

- name: Print max arch workers
  debug: "var=max_{{ item }}_workers"
  with_items:
    - x86_64
    - aarch64
    - s390x
    - ppc64le
  tags:
  - provision_config

- name: Resalloc
  import_tasks: resalloc.yml
  tags:
  - resalloc

- name: Put ansible.cfg for all this into /etc/ansible/ on the system
  ansible.builtin.copy: src="provision/ansible.cfg" dest=/etc/ansible/ansible.cfg
  tags:
  - provision_config

- name: Install .ansible.cfg for copr user
  ansible.builtin.copy: src=ansible.cfg dest=/home/copr/.ansible.cfg
        owner=copr group=copr mode=600
  tags:
  - provision_config

- name: Setup provision directory
  include_tasks: setup_provisioning_environment.yml
  vars:
    cloud_vars: true
    provision_directory: /home/copr/provision
    provision_user: copr
  tags:
  - always

- name: Copy image preparation scripts
  ansible.builtin.copy: src="{{ item }}" dest=/usr/local/bin/
        owner=root mode=755
  with_fileglob:
    - copr-builder-image-*.sh
  when: devel|bool
  tags:
  - provision_config

- name: Testing fixture
  ansible.builtin.copy: dest="/home/copr/cloud/ec2rc.variable" content=""
  when: devel|bool

- name: Copy copr-be.conf
  ansible.builtin.template: src="copr-be.conf.j2" dest=/etc/copr/copr-be.conf  owner=root group=copr mode=640
  notify:
  - Restart copr-backend
  tags:
  - config
  - copr_infrastructure_password
  - provision_config

- name: Create messaging config directory
  ansible.builtin.file: dest=/etc/copr/msgbuses state=directory owner=copr group=copr mode=0700
  when: copr_messaging
  tags:
  - config

- name: Install messaging config
  ansible.builtin.template: src="fedora-messaging.conf.j2"
            dest=/etc/copr/msgbuses/fedora-messaging.conf
            owner=copr group=copr mode=0600
  when: copr_messaging
  notify:
  - Restart copr-backend
  tags:
  - config

- name: Copy sign.conf
  ansible.builtin.template: src=sign.conf dest=/etc/sign.conf  owner=root group=copr mode=640
  tags:
  - config

- name: Get owner for results dir
  stat: path=/var/lib/copr/public_html
  check_mode: no
  register: copr_results_dir_st

- name: Change owner for results dir if it isn't copr
  ansible.builtin.shell: "chown -R copr:copr /var/lib/copr/public_html"
  when: '"copr" not in copr_results_dir_st.stat.pw_name'

- ansible.builtin.command: "ls -dZ /var/lib/copr/public_html/"
  register: public_html_ls
  check_mode: no
  changed_when: false

- name: Update selinux context for results if root folder does not have proper type
  ansible.builtin.command: "restorecon -vvRF /var/lib/copr/public_html/"
  when: "public_html_ls is defined and 'copr_data_t' not in  public_html_ls.stdout"

# - name: Install cert to access fed-cloud09
#   # TODO: remove this when fed-cloud09 receives external cert
#   import_tasks: install_cloud_cert.yml

- name: Enable and run copr-backend services
  service: name="{{ item }}" enabled=yes state=started
  when: not services_disabled|bool
  with_items:
  - redis       # TODO: .service in copr-backend should depend on redis
  - "{{ copr_backend_target }}"

- name: Access.redhat.com offline token file
  set_fact: "rhn_offline_token_file=/var/lib/resallocserver/.access.redhat.com-copr-team"
  tags:
    - clean_rh_subscriptions

- name: Install offline token for copr-team in RHSM
  ansible.builtin.copy:
    content: "{{ copr_red_hat_subscription_offline_token }}"
    dest: "{{ rhn_offline_token_file }}"
    mode: "0600"
    owner: resalloc
    group: resalloc
  tags:
    - clean_rh_subscriptions

- name: Install cleanup-unused-vms script
  ansible.builtin.template:
    src: "{{ item }}"
    dest: /usr/local/bin/{{ item }}
    mode: "0755"
  loop:
    - cleanup-unused-vms-from-redis
    - cleanup-unused-redhat-subscriptions
  tags:
    - clean_rh_subscriptions

- name: Setup crontab for VMs
  cron: name="cleanup nova VMs periodically"
        job="/usr/bin/cleanup_vm_nova.py"
        minute="*/20"
        user=copr
        state=absent

- name: Setup crontab for cleaning up redis
  cron: name="prune redis VM db periodically"
        job="/usr/local/bin/cleanup-unused-vms-from-redis &>> /var/log/copr-backend/cleanup-redis-vms.log"
        minute="50"
        user=copr
        state=absent

- name: Crontab for cleaning resalloc VMs
  cron: name="cleanup nova VMs periodically"
        job="true /usr/local/bin/cleanup-vms-aws-resalloc &>> /var/log/resallocserver/cron-cleanup-vms-aws.log"
        minute="*/10"
        user=resalloc
        state=absent

- name: Crontab for cleaning-up unused subscriptions
  cron: name="cleanup unused Red Hat subscribed systems"
        job="/usr/local/bin/cleanup-unused-redhat-subscriptions &>> /var/log/resallocserver/cron-cleanup-rh-subscriptions.log"
        minute="*/30"
        user=resalloc
  tags:
    - clean_rh_subscriptions

- name: Setup monitoring
  import_tasks: "monitoring.yml"

# Three tasks for handling our custom selinux module
- name: Ensure a directory exists for our custom selinux module
  ansible.builtin.file: dest=/usr/local/share/copr state=directory

- name: Copy over our custom selinux module
  ansible.builtin.copy: src=selinux/copr_rules.pp dest=/usr/local/share/copr/copr_rules.pp
  register: selinux_module

- name: Install our custom selinux module
  ansible.builtin.command: semodule -i /usr/local/share/copr/copr_rules.pp
  when: selinux_module is changed

- name: Setup AWS access
  import_tasks: "aws.yml"
  tags:
  - config
  - aws_config

- name: Setup Pulp
  import_tasks: "pulp.yml"
  tags:
  - config
  - pulp

- name: Copr-ping-account
  import_tasks: copr-ping.yml
  tags: copr_ping

- name: Add lighttpd user to the resalloc group
  user:
    name: lighttpd
    groups: resalloc
    append: yes

- name: Install daily custom copr-backend crontab
  ansible.builtin.copy: src=cron.daily/copr-backend dest=/etc/cron.daily/
        mode=0755
  tags: [cron_tasks]

- name: Configure options in node exporter
  lineinfile:
    path: /etc/default/prometheus-node-exporter
    regexp: '^ARGS='
    line: 'ARGS=--collector.systemd'
    backrefs: yes
  notify: Restart node_exporter
  tags:
    - prometheus_node_exporter